Next.js Discord


How can I find and trigger Server Actions directly, bypassing middleware protected pages they're on?

Unanswered
Spectacled bear posted this in #help-forum
Spectacled bear (OP)
As far as I am aware, server actions are not protected by middleware, leading to this guidance: https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#authentication-and-authorization

I am looking for a demonstration on how server actions which do not ensure that the user is authorized can be exploited.

3 Replies

one example on how to exploit server actions is here: https://github.com/vercel/next.js/issues/63804
server actions are protected by middleware, actually. the warning there is for people who are not using middleware for authentication and who make the mistake of thinking that simply by guarding the page running the server action, they have already secured the server action. the server action's auth is entirely different from the page's auth.

server actions are just POST requests sent to the same path as the page triggering it (so if you run a server action on page /foo, it will be a POST /foo). POST requests are properly managed by middleware just like GET requests. of course this assumes your middleware logic is correct.

i realised the message above contains a mistake. revision coming soon.
alright, so server actions are POST requests sent to the same path as the page triggering them. so in your app, the protected server action is only triggered from a page protected by middleware. but that's not a guarantee, since a bad actor can always just grab the action ID and use it to POST to a public page not guarded by middleware. since the action ID still matches and POSTing to any page is allowed, the server action will be able to bypass the middleware.

that is what can happen, theoretically. however when i try to make a quick reproduction, the outcome is that your server will throw an internal error with ⨯ uncaughtException: [Error: aborted] { code: 'ECONNRESET' }. still a bad thing nevertheless.

anyway yeah, theoretically speaking, from how server actions work, there is no guarantee that the middleware protecting the page calling the server action will be able to protect any valid server action requests coming from potentially malicious actors.
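The gap the last reply describes, and the fix the linked Next.js guidance recommends, as an added example that is not part of the thread and not Next.js code. It models a path-matched middleware next to a `withAuth` wrapper that re-checks the session inside the action itself; `SESSIONS`, `getSession`, `middlewareAllows`, `withAuth`, `deleteUser` and `simulateActionPost` are all constructed names for this illustration (a real app would read the cookie via `cookies()` from `next/headers` and look the session up in its own store). The unguarded action is only as safe as the path it was posted to; the guarded one rejects an unauthorized caller on any path.

```typescript
// Added example: authorization inside a server action, independent of the
// page path the POST arrived on. All names here are constructed for the demo.

type Role = "admin" | "user";
type Session = { userId: string; role: Role } | null;

// Constructed stand-in for a session store keyed by the session cookie value.
const SESSIONS: Record<string, NonNullable<Session>> = {
  "cookie-admin": { userId: "u1", role: "admin" },
  "cookie-user": { userId: "u2", role: "user" },
};

// In a real Next.js app this would read cookies() from next/headers.
export function getSession(sessionCookie: string | undefined): Session {
  if (!sessionCookie) return null;
  return SESSIONS[sessionCookie] ?? null;
}

// Model of a middleware with a matcher on /admin/*: it only guards those
// paths, so a POST to any other path passes regardless of session.
export function middlewareAllows(path: string, session: Session): boolean {
  if (path.startsWith("/admin")) return session?.role === "admin";
  return true;
}

// Wrapper that makes the action authorize itself on every invocation.
export function withAuth<TArgs extends unknown[], TResult>(
  requiredRole: Role,
  action: (session: NonNullable<Session>, ...args: TArgs) => TResult,
) {
  return (sessionCookie: string | undefined, ...args: TArgs): TResult => {
    const session = getSession(sessionCookie);
    if (!session) throw new Error("unauthenticated");
    if (requiredRole === "admin" && session.role !== "admin") {
      throw new Error("forbidden");
    }
    return action(session, ...args);
  };
}

// Unguarded action: relies entirely on the middleware in front of the page.
export function deleteUserUnguarded(targetId: string): string {
  return `deleted ${targetId}`;
}

// The same action with the check inside it.
export const deleteUser = withAuth("admin", (session, targetId: string) =>
  `deleted ${targetId} by ${session.userId}`);

export type ActionResult = { status: number; body: string };

// Simulates one server-action POST: middleware runs on the request path
// first, then the action body runs. The action ID check is out of scope here;
// the point is what happens once a valid action reaches the handler.
export function simulateActionPost(
  path: string,
  sessionCookie: string | undefined,
  runAction: (sessionCookie: string | undefined) => string,
): ActionResult {
  const session = getSession(sessionCookie);
  if (!middlewareAllows(path, session)) {
    return { status: 403, body: "blocked by middleware" };
  }
  try {
    return { status: 200, body: runAction(sessionCookie) };
  } catch (e) {
    return { status: 403, body: (e as Error).message };
  }
}

// Convenience runners for the two actions.
export const postUnguarded = (path: string, cookie?: string) =>
  simulateActionPost(path, cookie, () => deleteUserUnguarded("u9"));
export const postGuarded = (path: string, cookie?: string) =>
  simulateActionPost(path, cookie, (c) => deleteUser(c, "u9"));
```

Running `postUnguarded("/public", "cookie-user")` succeeds because the matcher never sees `/public`, which is exactly the situation the thread describes; `postGuarded("/public", "cookie-user")` is rejected with `forbidden` no matter which path carried the POST, which is why the Next.js docs ask for the check inside the action rather than only in middleware.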